What Is F5 Shape Security?

F5 Shape Security is the most sophisticated anti-bot product on the market — F5 paid $1 billion to acquire Shape in 2020 and the price reflects what it does. An anti-bot is software a website runs to tell real human visitors apart from automated scripts. Shape's trick: it runs a tiny custom computer (a "virtual machine") inside your browser using JavaScript. The code your scraper has to execute is not normal JavaScript — it is a private instruction set (bytecode), rebuilt with every deployment, that standard reverse-engineering tools cannot decode. The session tokens it issues (reese84) expire in minutes. For teams collecting data they are permitted to access at scale, the engineering cost of building and maintaining a do-it-yourself integration typically exceeds the cost of a managed API within weeks.

Quick facts

Acquisition: $1B by F5 Networks (2020)
Token cookies: reese84, TS*, $rsc= URL params
Token expiry: Minutes — tight rotation cadence
Architecture: Custom JS VM with proprietary bytecode
DIY viability: Costly at scale — managed APIs are common

Why Shape is different

Most anti-bots ship JavaScript that is scrambled (obfuscated) but still standard — given enough effort, you can untangle it. Shape is different. It ships a JavaScript program that interprets a custom bytecode language — its own private set of instructions. Your browser downloads both the bytecode and the interpreter that runs it, and those instructions map to no standard browser API. So even with Wireshark, mitmproxy (tools that let you watch the traffic), and a deobfuscator, there is, in any normal sense, no source to read.

The challenge code is also regenerated on every rotation. The bytecode produced this hour does not match last hour's, so any analysis of it goes stale within days. This is what makes Shape the most engineering-intensive anti-bot product to work with.

How teams approach Shape-protected access

1. Web and mobile endpoints often differ. Shape is usually deployed only on the website, not the mobile app. The same brand's iOS or Android app often talks to a completely separate API with a different architecture — frequently just simple Bearer-token auth (a token sent in the request header to prove who you are). When you are authorized to access a service's data, understanding which endpoint carries which protections explains why integration effort varies so widely across the same brand.

2. Managed APIs handle the heavy lifting. For full-VM cases, building it yourself rarely pays off. Benchmarked success rates (Scrape.do 2025): Bright Data Web Unlocker 98.44%, Zyte 93.14%. A managed provider runs the browser environment, the residential proxies, and the token rotation behind the scenes, so teams accessing data they are permitted to use do not maintain that machinery themselves.

The economic threshold

A senior scraping engineer costs roughly $700–1,500/day fully loaded (salary plus overhead). Bright Data Web Unlocker is around $3 per 1,000 successful requests; Scrappey's full-browser tier is €1.00 per 1,000. Once Shape is involved, the math almost always favors a managed API. The break-even rule of thumb: if maintaining an in-house Shape integration costs more than two engineer-days per month, that portion is usually better handed to a managed provider.

Token mechanics also explain the maintenance burden: each reese84 token is valid only for a few minutes, so any integration has to re-acquire tokens frequently, and tokens are bound tightly to a single session and IP. These constraints are why DIY maintenance grows expensive over time.
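The session and IP binding described above is something a site owner can also check from the server side. The following is an added example, not code from this page or from F5: it scans constructed log lines for a token seen from more than one IP or used past its lifetime. The log format, the token-hash field and the five-minute `MAX_AGE` are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: five minutes stands in for the page's "a few minutes".
MAX_AGE = timedelta(minutes=5)

# Constructed log lines: ISO timestamp, client IP, truncated hash of the token
# (log a hash, never the token value itself).
LOG = """\
2026-05-31T10:00:00 198.51.100.7 tok_a1
2026-05-31T10:02:10 198.51.100.7 tok_a1
2026-05-31T10:03:00 203.0.113.9 tok_a1
2026-05-31T10:00:30 192.0.2.44 tok_b2
2026-05-31T10:09:45 192.0.2.44 tok_b2
2026-05-31T10:01:00 192.0.2.80 tok_c3
"""

def parse(log):
    """Yield (timestamp, ip, token_hash) for every non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, token = line.split()
            yield datetime.fromisoformat(ts), ip, token

def binding_violations(log, max_age=MAX_AGE):
    """Map token hash -> sorted list of violated rules."""
    first_seen = {}            # first sighting approximates issue time
    ips = defaultdict(set)     # every client IP that presented the token
    findings = defaultdict(set)
    for ts, ip, token in sorted(parse(log)):
        first_seen.setdefault(token, ts)
        ips[token].add(ip)
        if len(ips[token]) > 1:
            findings[token].add("multiple_ips")
        if ts - first_seen[token] > max_age:
            findings[token].add("used_after_expiry")
    return {token: sorted(rules) for token, rules in findings.items()}

if __name__ == "__main__":
    for token, rules in binding_violations(LOG).items():
        print(token, ", ".join(rules))
```

Legitimate clients can change IP mid-session (mobile networks, carrier NAT), so treat `multiple_ips` as a signal to correlate rather than a verdict. If the issuing system records the real issue time, use that instead of first sighting.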

Code example

```python
# Illustration: many brands expose a separate, differently-protected mobile API.
# When you are authorized to access a service's data, a simple Bearer-token
# endpoint behaves very differently from a Shape-protected web page:

from curl_cffi import requests

r = requests.get(
    "https://api.brand.com/v2/products",
    impersonate="chrome131",
    headers={
        "Authorization": "Bearer <token from mobile app>",
        "X-App-Version": "4.2.1",
    },
    proxies={"https": "http://user:pass@residential:port"},
)
print(r.status_code, r.json())  # often 200, no Shape, no reese84
```

Frequently asked questions

Why is Shape so much harder than Cloudflare or Akamai?

Because the challenge runs inside a proprietary virtual machine — a custom mini-computer Shape builds in the browser. Cloudflare and Akamai ship scrambled but standard JavaScript, which can eventually be reverse-engineered. Shape ships bytecode for a private instruction set, regenerated on every rotation, so the reverse-engineering cycle never finishes — by the time you understand it, it has changed.

Can a plain HTTP client like curl_cffi work with Shape-protected endpoints?

For Shape-protected XHR endpoints (the background data calls a page makes), no. The JavaScript VM must run and produce a reese84 token before any protected request is accepted, and curl_cffi cannot run JavaScript. For the rare Shape-protected page where the data is already in the initial HTML, an HTTP client can read it. Web and mobile endpoints often carry different protections, which is why integration effort varies.

How long do reese84 tokens last?

Typically a few minutes. Because tokens expire quickly, any integration has to re-acquire them frequently, which is one reason in-house solutions carry high maintenance overhead.

What sites use F5 Shape?

Major US banks, airlines, ticketing platforms, and retailers — the kinds of customers willing to pay enterprise-tier anti-bot pricing. There are no maintained public lists, but checking cookies is the fastest way to confirm: open your browser dev tools and look for a reese84 or TS* cookie.
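The cookie check above, combined with the earlier point that web and mobile endpoints often carry different protections, gives a site owner a simple coverage audit. The following is an added example, not code from this page or from F5: it takes a constructed capture of responses from your own endpoints and lists those that returned none of the markers this page names. The hostnames, the capture format and the reading of "TS*" as a name prefix are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: "TS*" on this page means a cookie name that starts with "TS".
TS_COOKIE = re.compile(r"^TS[0-9A-Za-z_]+$")

def markers(url, set_cookie_headers):
    """Return which of the page-named markers one captured response carries."""
    found = set()
    for header in set_cookie_headers:
        # The cookie name is everything before the first "=" in Set-Cookie.
        name = header.split("=", 1)[0].strip()
        if name == "reese84":
            found.add("reese84")
        elif TS_COOKIE.match(name):
            found.add("TS*")
    if "$rsc" in parse_qs(urlsplit(url).query, keep_blank_values=True):
        found.add("$rsc")
    return found

# Constructed capture of your own estate: (surface, URL, Set-Cookie headers).
CAPTURED = [
    ("web", "https://www.example.test/login",
     ["reese84=constructed; Path=/; Secure", "TS01ab23cd=constructed; Path=/"]),
    ("web", "https://www.example.test/search?q=x&$rsc=constructed", []),
    ("mobile-api", "https://api.example.test/v2/products",
     ["session=constructed; HttpOnly"]),
]

def coverage_gaps(captured):
    """Group by surface the URLs where no marker was observed."""
    gaps = {}
    for surface, url, cookies in captured:
        if not markers(url, cookies):
            gaps.setdefault(surface, []).append(url)
    return gaps

if __name__ == "__main__":
    for surface, urls in coverage_gaps(CAPTURED).items():
        for url in urls:
            print(f"no marker observed: [{surface}] {url}")
```

A cookie may have been set on an earlier response in the session, so feed the audit every response in a capture before treating an endpoint as uncovered.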

Last updated: 2026-05-31